TeamViewer is software that organizations have long used to enable remote support, collaboration, and access to endpoint devices.
Like other legitimate remote access technologies, it is also something that attackers have used with relative frequency to gain initial access on target systems.
Further investigation showed the attackers had gained initial access to both endpoints via TeamViewer.
On one of the computers, the threat actor spent just over seven minutes after gaining initial access via TeamViewer, while on the other, the attacker's session lasted more than 10 minutes.
Huntress' report did not say how the attacker might have taken control of the TeamViewer instances in both cases.
Harlan Carvey, a senior threat intelligence analyst at Huntress, says that some of the TeamViewer logins appear to be from legacy systems.
Carvey says it is possible that the threat actor was able to purchase access from an initial access broker, and that the credentials and connection information may have been obtained from other endpoints through the use of infostealers, a keystroke logger, or some other means.
Previous TeamViewer Cyber Incidents
There have been several past incidents where attackers have used TeamViewer in similar fashion.
One was a campaign last May by a threat actor looking to install the XMRig cryptomining software on systems after gaining initial access via the tool.
Incident logs showed the threat actor had gained an initial foothold in the victim environment via TeamViewer.
Much earlier, Kaspersky in 2020 reported on attacks it had observed on industrial control system environments that involved the use of remote access technologies such as RMS and TeamViewer for initial access.
There have also been incidents, though fewer, of attackers using TeamViewer as an access vector in ransomware campaigns.
TeamViewer's remote access software has been installed on some 2.5 billion devices since the company of the same name launched in 2005.
Last year, the company described its software as currently running on more than 400 million devices, of which 30 million are connected to TeamViewer at any time.
The software's vast footprint and its ease of use have made it an attractive target for attackers, just like other remote access technology.
How to Use TeamViewer Securely
TeamViewer itself has implemented mechanisms to mitigate the risk of attackers misusing its software to break into systems.
The company has claimed that the only way an attacker can access a computer via TeamViewer is if the attacker has the TeamViewer ID and associated password.
Among the measures it points to is using the software's Block and Allow list features to restrict access to specific individuals and devices.
The company has also pointed to TeamViewer's support for conditional access policies that allow administrators to enforce remote access rights.
In a statement to Dark Reading, TeamViewer said that most instances of unauthorized access involve a weakening of TeamViewer's default security settings.
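The allow-list control described above only helps if someone checks that sessions actually came from approved remote IDs, and the short off-hours sessions in the Huntress case (roughly seven and ten minutes) are exactly the kind of activity a review should surface. The following is an added example, not code from the article, from Huntress or from TeamViewer: it audits a constructed session export against a hypothetical allow list and flags sessions whose remote ID is not approved, or which are short and start outside business hours. The CSV layout, the IDs, the allow list and the thresholds are all assumptions made for illustration, not TeamViewer's real log format.

```python
"""Audit remote-access session records against an allow list.

Added example; not the article's, Huntress', or TeamViewer's code.
The record format below is constructed for illustration and is not
TeamViewer's own log format. Adapt parse_export() to whatever your
remote-access tool actually exports.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export (times in UTC): remote_id,local_user,start,end
SAMPLE_EXPORT = """\
remote_id,local_user,start,end
100200300,helpdesk-01,2024-01-15T09:00:00,2024-01-15T09:45:00
555666777,SYSTEM,2024-01-15T23:12:00,2024-01-15T23:19:30
555666777,SYSTEM,2024-01-16T00:02:00,2024-01-16T00:13:00
100200300,helpdesk-01,2024-01-16T10:00:00,2024-01-16T10:20:00
"""

# Hypothetical allow list: remote IDs that are permitted to connect.
ALLOW_LIST = {"100200300"}


@dataclass
class Session:
    remote_id: str
    local_user: str
    start: datetime
    end: datetime

    @property
    def minutes(self) -> float:
        """Session length in minutes."""
        return (self.end - self.start).total_seconds() / 60


def parse_export(text: str) -> list[Session]:
    """Parse the constructed CSV export into Session objects."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        sessions.append(Session(
            remote_id=row["remote_id"].strip(),
            local_user=row["local_user"].strip(),
            start=datetime.fromisoformat(row["start"]),
            end=datetime.fromisoformat(row["end"]),
        ))
    return sessions


def audit(sessions: list[Session], allow_list: set[str],
          max_quiet_minutes: float = 15.0,
          business_hours: tuple[int, int] = (8, 18)) -> list[tuple[str, float, list[str]]]:
    """Return (remote_id, minutes, reasons) for every session worth a look.

    A session is reported if its remote ID is not on the allow list, or if it
    is short (<= max_quiet_minutes) and starts outside business hours. The
    thresholds are assumptions; tune them to the environment.
    """
    findings = []
    for s in sessions:
        reasons = []
        if s.remote_id not in allow_list:
            reasons.append("remote ID not on allow list")
        off_hours = not (business_hours[0] <= s.start.hour < business_hours[1])
        if off_hours and s.minutes <= max_quiet_minutes:
            reasons.append("short off-hours session")
        if reasons:
            findings.append((s.remote_id, round(s.minutes, 1), reasons))
    return findings


if __name__ == "__main__":
    for remote_id, minutes, reasons in audit(parse_export(SAMPLE_EXPORT), ALLOW_LIST):
        print(f"{remote_id}: {minutes} min; {'; '.join(reasons)}")
```

Run as-is, the audit reports the two overnight sessions from the unapproved ID and stays silent on the help desk's daytime sessions. Adding an ID to the allow list removes the first reason but not the second, so a legitimate-but-unusual session still gets a second look rather than disappearing from the report.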
This Cyber News was published on www.darkreading.com. Publication date: Fri, 19 Jan 2024 21:40:17 +0000